Overview

Noname is a cyber security company that provides an API security solution.

Integrating your Noname logs into the Hunters ecosystem lets you store the data in a parsed format, receive native Noname alerts in your Hunters portal, investigate threat scenarios over the data, and get related Hunters detections for your tenant.

Supported Data Types

  • Noname issues - Noname native alerts.

Hunters Integration

To enable Hunters collection of Noname logs for your tenant, you will need to provide Hunters with two API keys, as shown in the credentials sample below. Alternatively, you can collect the Noname logs from your network to a storage service (e.g. an S3 bucket or Azure Blob Storage) shared with Hunters.

The expected log format is JSON, as exported by Noname. Logging the full schema is recommended; however, any subset of the fields can be ingested, provided you give Hunters your specific schema.

Noname API credentials sample

{'X-API-Key': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', 'X-API-Sign': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'}

Noname data sample

{"_id": "ANOMALY-Cross-Site Scripting-tempdomainbrokerdirect.com-/broker-resources/tag/announcements-noPolicy", "API": {"host": "tempdomainbrokerdirect.com", "path": "/broker-resources/tag/announcements", "method": "GET"}, "description": [], "module": "ANOMALY", "severity": "MEDIUM", "status": "OPEN", "time": "2021-11-15T04:00:52.000Z", "title": "3 Cross-Site Scripting", "children": [{"_id": "6312879190922210717", "ts": "2021-11-01T18:35:29.000Z", "host": "tempdomainbrokerdirect.com", "path": "/broker-resources/tag/announcements", "method": "GET", "module": "ANOMALY", "type": "Cross-Site Scripting", "status": "OPEN", "falsePositive": false, "falsePositiveHandled": false, "severity": "MEDIUM", "parameters": {"variable_type": ["RequestHeader"], "variable_value": ["javascript:/</script><img/onerror='-/\x22/-/ onmouseover=1/-/[*/[]/[(new(Image)).src=(/;/+/ciyxmi8swzi9vh52lphjmr9ge7k08rwjn7iu8ixX;.burpcollaborator.net/).replace(/.;/g,[])]//'src=>"], "message": ["NoScript XSS InjectionChecker: Attribute Injection", "XSS Filter - Category 2: Event Handler Vector", "NoScript XSS InjectionChecker: HTML Injection"], "rule_id": ["xss_attack_rule_6", "xss_attack_rule_3", "xss_attack_rule_5"], "user_ids": null}, "nodePath": "", "type_id": "982547", "version": "1", "users": ["1.1.1.1"], "datatypes": [], "history": [{"timestamp": "2021-11-01T18:35:29.000Z", "field": "status", "value": "OPEN"}], "userAgents": {}, "description": ["An attempt to exploit a cross-site scripting (XSS) vulnerability was detected."], "issueInfo": ["This could mean that a threat actor is trying to manipulate your system in order to exploit a vulnerability in the code or to access unauthorized functionality."], "remediation": ["We recommend that you review the user's activity and block the user's credentials as well as the originating IP address. This can be done by adding the user's IP address to an ACL deny-list or by blocking the user matching the User ID in the header by adding a rule to your WAF."], "remediationSteps": null, "reproduceSteps": null, "realAPI": {"host": "tempdomainbrokerdirect.com", "path": "/broker-resources/tag/announcements", "method": "GET"}, "title": "Cross-Site Scripting", "time": "2021-11-01T18:35:29.000Z", "id": "6312879190922210717", "originalApi": {"host": "tempdomainbrokerdirect.com", "path": "/broker-resources/tag/announcements", "method": "GET"}, "API": {"host": "tempdomainbrokerdirect.com", "path": "/broker-resources/tag/announcements", "method": "GET"}, "triggeredOn": "GET tempdomainbrokerdirect.com/broker-resources/tag/announcements", "owasp": []}
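
The following is an added example, not part of the Hunters or Noname documentation. It shows one way to check an exported file before sharing it through a storage service: it rejects lines that are not valid JSON, flattens each issue into one row per child event, and lists the field paths actually present, which is the schema subset to provide to Hunters. It assumes one JSON issue per line; the function names and sample values are constructed for illustration.

```python
import json

# Constructed NDJSON export (placeholder values); field names follow the data
# sample on this page. The second line is deliberately truncated.
SAMPLE_LINES = [
    '{"_id": "ANOMALY-Cross-Site Scripting-api.example.com-/v1/items-noPolicy",'
    ' "API": {"host": "api.example.com", "path": "/v1/items", "method": "GET"},'
    ' "severity": "MEDIUM", "children": ['
    '{"_id": "1001", "type": "Cross-Site Scripting", "falsePositive": false,'
    ' "users": ["192.0.2.10"], "parameters": {"rule_id": ["xss_attack_rule_6"]}}, '
    '{"_id": "1002", "type": "Cross-Site Scripting", "falsePositive": true,'
    ' "users": ["192.0.2.11"], "parameters": {"rule_id": ["xss_attack_rule_5"]}}]}',
    '{"_id": "ANOMALY-truncated", "children": [{"_id": "1003"',
]


def field_paths(obj, prefix=""):
    """Dotted paths of every field present, e.g. 'children[].parameters.rule_id'."""
    paths = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            paths |= {path} | field_paths(value, path)
    elif isinstance(obj, list):
        for item in obj:
            paths |= field_paths(item, prefix + "[]")
    return paths


def flatten(lines):
    """Return (one row per child event, rejected line numbers, observed schema)."""
    rows, rejects, schema = [], [], set()
    for lineno, line in enumerate(lines, 1):
        try:
            issue = json.loads(line)
        except json.JSONDecodeError:
            rejects.append(lineno)  # malformed or truncated export line
            continue
        schema |= field_paths(issue)
        api = issue.get("API") or {}
        for child in issue.get("children") or []:
            rows.append({
                "issue_id": issue.get("_id"), "event_id": child.get("_id"),
                "host": api.get("host"), "path": api.get("path"),
                "type": child.get("type"), "users": child.get("users") or [],
                "false_positive": bool(child.get("falsePositive")),
                "rule_ids": (child.get("parameters") or {}).get("rule_id") or [],
            })
    return rows, rejects, sorted(schema)
```

Calling flatten(SAMPLE_LINES) returns two event rows, reports line 2 as rejected, and lists the observed field paths.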